john spurlock 2004


"canonicalization" for 1000, alex

The recent asp.net authentication exploit is generating some bad press for that software company in redmond.

Now I'm not going to say that handling "canonicalization issues" is easy: mapping urls to local system paths is a tricky problem, and there are plenty of similar problems with other web apps and frameworks. And I also can't believe that this wasn't anticipated by someone in that vaunted microsoft QA army.

In the long run, though, I think that this might actually serve to highlight the flexibility and resiliency of asp.net as an agile (buzzword alert) system. The exploit doesn't have to be a show-stopper because the framework is extremely extensible - the recommended fix is literally one line of code in one file. How much cleaner can you get?

This surgical fix is possible because asp.net opens itself up for extension and modification at practically every conceivable point in the whole request-response process - not an original idea necessarily, but one that is proving to be extremely helpful in "future-proofing" modern applications (see the hyper-pluggable eclipse architecture in java-land for a non-web example).
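To illustrate the kind of extension point described above, here is an added example (not code from the original post, and not Microsoft's published fix): a hypothetical `CanonicalPathModule` that hooks the first event of the request pipeline and rejects any request whose path is not already in canonical form, before authentication or authorization runs. The class name, the 404 response and the exact rule are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web;

// Added illustration; CanonicalPathModule is a hypothetical name.
public sealed class CanonicalPathModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // BeginRequest is the first pipeline event, raised before
        // AuthenticateRequest and AuthorizeRequest, so a rejected
        // request never reaches the authorization decision.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Request;

        if (!IsCanonical(request.Path, request.PhysicalPath))
        {
            // Fail closed: treat a non-canonical path as not found
            // instead of trying to repair it.
            throw new HttpException(404, "Not found");
        }
    }

    // Kept as a pure function so the rule can be unit-tested
    // without a running web server.
    public static bool IsCanonical(string virtualPath, string physicalPath)
    {
        // A URL path uses '/' as its only separator.
        if (virtualPath.IndexOf('\\') >= 0)
        {
            return false;
        }

        // GetFullPath resolves "." and ".." segments and normalizes
        // separators. If the result differs from the path the framework
        // mapped, the URL-based authorization rules and the file system
        // may disagree about which resource is being requested.
        string normalized = Path.GetFullPath(physicalPath);
        return string.Equals(normalized, physicalPath, StringComparison.Ordinal);
    }

    public void Dispose() { }
}
```

A module like this is switched on by listing it under `<httpModules>` in web.config, with no change to the pages it protects.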

So I'm giving MS credit where it's due on this one; asp.net is not going away anytime soon.